FW: Windows 7 Kerb bug

Tom Yu tlyu at MIT.EDU
Tue Oct 6 11:46:04 EDT 2009 

Jeffrey Altman <jaltman at secure-endpoints.com> writes:

> The problem is not an OpenAFS issue.   The problem is a bug in netbios
> name resolution in Windows 7.  Concerned organizations should report
> the issue to Microsoft in order to ensure that it will be fixed.
>
> Jeffrey Altman

Based on the rather lengthy series of forwarded messages, it was not
clear that the underlying issue was a NetBIOS name resolution bug.  I
would have found it helpful to have a summary of which bug to report,
and what information was most important.

>
>
> Tom Yu wrote:
>> Alexander Kozlov <akozlov at MIT.EDU> writes:
>>
>>> Hi,
>>>
>>> We run Windows 7 release project and got this report about Kerberos client issue with Windows 7. Are there any plans to update the client or windows client has been discontinued? Can you provide us with an update on any plans on a new client?
>>>
>>> Thanks,
>>>
>>> Alex
>>
>> We have a kfw-3.2.3 release in alpha testing.  It should work on
>> Windows 7 and amd64 Windows.
>>
>>     http://web.mit.edu/kerberos/dist/testing.html
>>
>> The problem described below appears to be an OpenAFS issue, not a KfW
>> issue, though.
>>
>>> _________________
>>> Important: MIT IT staff will *NEVER* ask you for your password, nor will MIT send you email requesting your password information. Please continue to ignore any email messages that claim to require you to provide such information.
>>>
>>> Alexander Kozlov
>>> Windows Platform Coordinator
>>> Software Release Team
>>> Information Services and Technology
>>> N42- 250C
>>> (617) 253-5103
>>>
>>>
>>> -----Original Message-----
>>> From: Patrick M McNeal [mailto:mcneal at MIT.EDU] 
>>> Sent: Friday, September 25, 2009 10:39 AM
>>> To: akozlov at mit.edu
>>> Subject: Fwd:Windows 7 Kerb bug
>>>
>>> FWI
>>>
>>> Begin forwarded message:
>>>
>>>> From: Arthur P Prokosch <arthurp at csail.mit.edu>
>>>> Date: September 25, 2009 10:22:39 AM EDT
>>>> To: "mcneal at mit.edu" <mcneal at mit.edu>
>>>> Subject: MacOS 10.6 licenses? and, Windows 7 Kerb bug
>>>>
>>>> Also, I wanted to pass on a report that we had of Kerberos for Windows
>>>> hogging CPU and refusing to quit under Windows 7.  Can you direct it  
>>>> to
>>>> the right place (MIT's "manager of the Microsoft PSS account" was
>>>> suggested), or is there somewhere else I should email this report to?
>>>>
>>>> Ridiculous amounts of detail follows.
>>>> Thanks,
>>>> -arthur.
>>>>
>>>> Subject: Bug in Windows 7 RTM causing netidmgr to max out CPU and  
>>>> can't be killed
>>>> Date: Thu, 20 Aug 2009 10:19:53 -0400
>>>> To: help at csail.mit.edu
>>>> From: Johnny Russ <jruss at mit.edu>
>>>>
>>>> I am running Windows 7 on my machine at home. I know that it isn't
>>>> supported by you guys obviously. However, I was having a problem with
>>>> network identity manger becoming unresponsive sometimes, so I  
>>>> contacted
>>>> the kerberos mailing list and Jeffrey Altman helped me track down a  
>>>> bug.
>>>> Our conversation is detailed below. He came to the conclusion that  
>>>> this is
>>>> a Windows 7 bug and said that best way to file it is through the
>>>> individual that manages the Microsoft PSS at MIT. I couldn't figure  
>>>> out
>>>> who this was. So I thought I would pass this along to TIG in hopes  
>>>> that
>>>> the info can get to the right person. Also I thought you might want to
>>>> know so that maybe some problems can be avoided when Windows 7 gets  
>>>> more
>>>> popular in a few months.
>>>>
>>>>
>>>>
>>>> Forwarded conversation
>>>> Subject: netidmgr maxing out CPU and can't be killed on Windows 7 RTM
>>>> ------------------------
>>>>
>>>> From: *Johnny Russ* <jruss at mit.edu>
>>>> Date: Sat, Aug 15, 2009 at 3:40 PM
>>>> To: kerberos at mit.edu
>>>>
>>>>
>>>> I have a desktop PC running Windows 7 32-bit and a laptop running
>>>> Windows 7 64-bit. I use kerberos and network identity manager to
>>>> access my AFS files. Everything seems to work fine. Except that
>>>> randomly (every few days or so) I will notice my CPU is maxed out.
>>>> When I check the task manager netidmgr.exe and explorer.exe will be
>>>> the 2 processes that are maxing out the CPU. This usually happens when
>>>> I am not even directly using netidmgr or AFS. I cannot kill them from
>>>> task manager, with taskkill, or with pskill from sysinternals. I have
>>>> to reboot to stop them from maxing out the CPU.
>>>>
>>>> I realize that Windows 7 is not officially supported or even
>>>> officially released yet, but it will be soon. Network Identity
>>>> Manager, Kerberos, and AFS all seem to work fine without any issues. I
>>>> was just curious if anybody else is running Windows 7 and seeing this
>>>> issue. How can I confirm that this is actually a bug when running
>>>> under Windows 7? Or even better any ideas how to avoid it would be
>>>> appreciated.
>>>>
>>>> ---------
>>>>
>>>> From: *Johnny Russ* <jruss at mit.edu>
>>>> Date: Tue, Aug 18, 2009 at 7:35 PM
>>>> To: netidmgr at secure-endpoints.com
>>>>
>>>>
>>>> Here is a process monitor log file. I have filtered out everything but
>>>> exporer.exe netidmgr.exe and afsd_service.exe. I had to truncate the
>>>> log file because it was too big. After what I have in the log file
>>>> explorer.exe continuously puts out the "CreateFile" operations with
>>>> the "NAME NOT FOUND" result. I don't seen any more events from
>>>> netidmgr or afsd_service. Let me know if there is something else I can
>>>> provide.
>>>>
>>>> ----------
>>>> From: *Jeffrey Altman* <jaltman at secure-endpoints.com>
>>>> Date: Tue, Aug 18, 2009 at 8:22 PM
>>>> To: jruss at mit.edu, netidmgr at secure-endpoints.com
>>>>
>>>>
>>>> afsd_service.exe is writing frequently to the Windows Application  
>>>> Event
>>>> Log. What events are being logged?
>>>>
>>>> ----------
>>>> From: *Jeffrey Altman* <jaltman at secure-endpoints.com>
>>>> Date: Tue, Aug 18, 2009 at 8:25 PM
>>>> To: jruss at mit.edu, netidmgr at secure-endpoints.com
>>>>
>>>>
>>>> I do not see a lot of activity from netidmgr.exe but I do see a ton  
>>>> from
>>>> explorer.exe. Explorer.exe is attempting to open
>>>> C:\Windows\CSC\v2.0.6\namespace\afs which might imply that \\AFS was
>>>> marked for use as an offline folder. Can you check that?
>>>>
>>>> ----------
>>>> From: *Johnny Russ* <jruss at mit.edu>
>>>> Date: Wed, Aug 19, 2009 at 9:26 AM
>>>> To: netidmgr at secure-endpoints.com
>>>>
>>>>
>>>> I have attached an event file for the events that AFS was triggering
>>>> at the time I created the process monitor log. It is a "Warning" and
>>>> it says, "Unable to Send SMB Packet: NRC_SABORT session ended
>>>> abnormally."
>>>>
>>>> ----------
>>>> From: *Jeffrey Altman* <jaltman at secure-endpoints.com>
>>>> Date: Wed, Aug 19, 2009 at 9:32 AM
>>>> To: jruss at mit.edu
>>>>
>>>>
>>>> what is the output of "nbtstat -n" and "nbtstat -S" at the time of the
>>>> error?
>>>>
>>>> Please also send the afsd_init.log at the time of the error.
>>>>
>>>> ----------
>>>> From: *Johnny Russ* <jruss at mit.edu>
>>>> Date: Wed, Aug 19, 2009 at 9:34 AM
>>>> To: netidmgr at secure-endpoints.com
>>>>
>>>>
>>>> On Tue, Aug 18, 2009 at 8:25 PM, Jeffrey
>>>> I am not able to access that folder. I can get to C:\Windows\CSC but
>>>> when I try to enter v2.0.6 it says that I don't have authorization,
>>>> even with administrative privileges. If I go into the security
>>>> settings it says I am not authorized to see that either. It says that
>>>> it is unable to show me who the owner is. I could try taking ownership
>>>> but I didn't want to do that, because I don't really know what the
>>>> function of that folder is.
>>>>
>>>> I looked at the standard offline folders dialogue, and I don't see any
>>>> reference to AFS in my current offline folders. There is and entry for
>>>> "jruss" which may refer to my local home directory or to the one I
>>>> have mapped via AFS I couldn't find any way to tell. But it is empty.
>>>>
>>>> ----------
>>>> From: *Johnny Russ* <jruss at mit.edu>
>>>> Date: Wed, Aug 19, 2009 at 9:38 AM
>>>> To: jaltman at secure-endpoints.com
>>>>
>>>>
>>>> I will have to wait to recreate the problem before I can check these.
>>>> Here are the entries from afsd_init.log just prior to when I took the
>>>> log from process monitor:
>>>>
>>>> 8/18/2009 6:40:57 PM: smb_LanAdapterChange
>>>> 8/18/2009 6:40:57 PM: NCBLISTEN lana=8 failed with NRC_BRIDGE,  
>>>> retrying
>>>> ...
>>>> 8/18/2009 6:40:57 PM: NCBLISTEN lana=8 failed with NRC_NOWILD,  
>>>> retrying
>>>> ...
>>>>
>>>> ----------
>>>> From: *Jeffrey Altman* <jaltman at secure-endpoints.com>
>>>> Date: Wed, Aug 19, 2009 at 9:45 AM
>>>> To: jruss at mit.edu
>>>>
>>>>
>>>> the netbios name mapping for the "AFS" name has been lost. Attempts to
>>>> contact \\AFS will fail. My guess is that the SMB redirector is  
>>>> forcing
>>>> offline mode and this is causing pioctl requests to fail in a weird  
>>>> way.
>>>>
>>>> This may be a change in behavior / bug in the Microsoft SMB  
>>>> redirector.
>>>>
>>>> The next time the problem occurs I want you to add the following value
>>>> to the registry
>>>>
>>>> HKLM\SOFTWARE\OpenAFS\Client DWORD "IoctlDebug" 0x01
>>>>
>>>> and then from a command prompt execute "tokens" and then send me the
>>>> output.
>>>>
>>>>
>>>> ----------
>>>> From: *Johnny Russ* <jruss at mit.edu>
>>>> Date: Thu, Aug 20, 2009 at 9:09 AM
>>>> To: jaltman at secure-endpoints.com
>>>>
>>>>
>>>> Sorry everything behaved fine all day yesterday. This morning things
>>>> are off again but it is only explorer.exe that is eating CPU cycles. I
>>>> can get kerberos tickets but no AFS tokens in Network Identity
>>>> Manager. I checked the afsd_init.log and it had that same error at the
>>>> very bottom. I checked and the AFS service is running. Here are the
>>>> outputs from the terminal that you requested:
>>>>
>>>> C:\Users\jruss>nbtstat -n
>>>>
>>>> AFS:
>>>> Node IpAddress: [10.254.254.253] Scope Id: []
>>>>
>>>> NetBIOS Local Name Table
>>>>
>>>> Name Type Status
>>>> ---------------------------------------------
>>>> OPTIMUS <00> UNIQUE Registered
>>>> RUSSHOME <00> GROUP Registered
>>>> RUSSHOME <1E> GROUP Registered
>>>> RUSSHOME <1D> UNIQUE Registered
>>>> ..__MSBROWSE__.<01> GROUP Registered
>>>> AFS <20> UNIQUE Registered
>>>>
>>>> C:\Users\jruss>nbtstat -S
>>>>
>>>> AFS:
>>>> Node IpAddress: [10.254.254.253] Scope Id: []
>>>>
>>>> NetBIOS Connection Table
>>>>
>>>> Local Name State In/Out Remote Host Input
>>>> Output
>>>>
>>>>
>>>> ----------------------------------------------------------------------------
>>>>
>>>> AFS Listening
>>>>
>>>> C:\Users\jruss>tokens
>>>>
>>>> Tokens held by the Cache Manager:
>>>>
>>>> pioctl CreateFile(\\afs\all\_._AFS_IOCTL_._) failed: 0x40
>>>> [The specified network name is no longer available.
>>>> ]
>>>> pioctl SamCompatible logon user: [Optimus\jruss]
>>>> pioctl WNetAddConnection2(\\afs,Optimus\jruss) failed: 0x40
>>>> pioctl WNetAddConnection2(\\afs\all,Optimus\jruss) failed: 0x40
>>>> AFS device may not have started
>>>>
>>>> ----------
>>>> From: *Jeffrey Altman* <jaltman at secure-endpoints.com>
>>>> Date: Thu, Aug 20, 2009 at 9:32 AM
>>>> To: jruss at mit.edu
>>>>
>>>>
>>>> This is a bug in Windows 7. Please file a bug report with Microsoft.
>>>> Notice that "AFS" is a registered Netbios name on the adapter with  
>>>> address
>>>> 10.254.254.253 and yet attempts to access \\afs\all\ fail with
>>>> Jeffrey Altman
>>>>
>>>> ----------
>>>> From: *Johnny Russ* <jruss at mit.edu>
>>>> Date: Thu, Aug 20, 2009 at 9:43 AM
>>>> To: jaltman at secure-endpoints.com
>>>>
>>>>
>>>> Thanks for helping me track this down. Would it be worthwhile posting
>>>> this with OpenAFS? What is the best way to file a bug with Microsoft?
>>>>
>>>> ----------
>>>> From: *Jeffrey Altman* <jaltman at secure-endpoints.com>
>>>> Date: Thu, Aug 20, 2009 at 9:51 AM
>>>> To: jruss at mit.edu
>>>>
>>>>
>>>> There is nothing that I can do as OpenAFS Gatekeeper on this issue  
>>>> until
>>>> a bug is filed with Microsoft.
>>>> The best way for it to be filed would be for the manager of the
>>>> Microsoft PSS account at MIT to do so.
>>>> Otherwise, you can file it as an individual.
>>>>
>>>> Jeffrey Altman
>>>
>>> --Patrick
>>>
>>>
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list